Follow Us On Social Media

Virtual Private Networks (VPNs), which is widely used by many businesses and organisations to provide secure access to their workers, are being abused to pilfer corporate user credentials.

Researchers from security firm Volexity discovered a new attack campaign that targets a widely used VPN product by Cisco Systems to install backdoors that collect employees' usernames and passwords used to login to corporate networks.

The backdoor contains malicious JavaScript code that attackers used to inject into the login pages. Once injected, the backdoor is hard to detect because the malicious JavaScript is hosted on an external compromised website and accessed only via secure HTTPS connections.

"Unfortunately, Volexity has found that [many] organizations are silently being victimized through this very login page," Volexity wrote in a blog post published Wednesday. "This begs the question: How are the attackers managing to pull this off?"

Methods to Install Backdoor

According to researchers, the backdoor is installed through two different entry points:

An exploit that relies on a critical flaw (CVE-2014-3393) in the Clientless SSL VPN that Cisco patched more than 12 months ago.

Hackers gaining administrative access and using it to load the malicious code.

Infected Targets

Volexity observed this new campaign successfully infected the following organisations:

Medical Think Tank

Universities, NGOs and Academic Institutions

Multinational Electronics manufacturers

Non-governmental organizations

In response to the issue, a Cisco spokesperson released a statement saying that the company is aware of the Volexity report and that it released the patches last year.

Cisco customers can also protect themselves against such threats by following Firewall best practices, the official added.

You can head on to Volexity official blog post, where the company has provided full technical details about the attack, along with suggestions for detecting and removing the VPN infections.